I want to get a search to get the sum of status errors of http_user_agent like the second dashboard. I do not know how to sum statuses like 201, 202 so that the error status becomes 2xx.
I have a table which contains multiple keys and values; one of the keys {"body"} has the value below:

"body": "{\n \"Type\" : \"Notification\",\n \"MessageId\" : \"f33b9756-bc6b-5efc-8111-cca792b8d4f3\",\n \"TopicArn\" : \"arn:aws:sns:eu-central-1:108770896200:PL-PRD-notification-media\",\n \"Message\" : \"{\\\"licenseValidFrom\\\":\\\"2022-11-18T07:56:18.760+01:00\\\",\\\"licenseValidUntil\\\": \\\"3022-03-21T07:56:18.760+01:00\\\",\\\"hasCopyright\\\":\\\"False\\\",\\\"resolutionInPx\\\": \\\"685x1664\\\",\\\"resolutionKey\\\":\\\"ORIGINAL\\\",\\\"checksum\\\":\\\"35a63f43ec3088c9cf01b6c5473f1436\\\", \\\"description\\\": \\\"Jewelry Full\\\", \\\"brand\\\": \\\"\\\", \\\"category\\\": \\\"\\\", \\\"mediaType\\\": \\\"AdditionalImage\\\", \\\"status\\\": \\\"Media.Active.490.Finished\\\", \\\"gtin\\\": \\\"9009656409602\\\", \\\"channel\\\": \\\"gkkDigitalDataManagement\\\", \\\"mediaId\\\": \\\"06\\\", \\\"contentType\\\": \\\"image/jpeg\\\"}\",\n \"Timestamp\" : \"2022-11-18T06:56:19.980Z\",\n \"SignatureVersion\" : \"1\",\n \"Signature\" : \"AySfxHK6Y3ZSA7BsgR7sFHva82snBuenk74ZMJ5HzewU4ozOg8PDOnjeBAY0FLbFxomWOEVIzNWp9yW8Ti9lWWNpdzeMd4MYUhN/a0tLwce1Dk0xdAlsM9DByiJHUTWj1QkvUsaJChMaDfZOyFwZNhvHBbtC9W/Y9AtcZnS9ahz8bQBvxIZv/Xb7tK/g0pvOJ2Nx633TN1UStYshQef8g1cV+q4Ey0fMRr9l/K00POuBUCcGZRRXTiGaqVOTWk08ARFsW5a9Iz28kaBz4PDFNdCALgnwdZ65m6k2HL8fYW5O7gvxEqAOLnYcPsX8XLiV20tSd2NBgoytq5f3IxAbsw==\",\n \"MessageAttributes\" : {\n \"channel\" : {\"Type\":\"String\",\"Value\":\"gkkDigitalDataManagement\"},\n \"mediaStatus\" : {\"Type\":\"String\",\"Value\":\"Media.Active.490.Finished\"},\n \"mediaType\" : {\"Type\":\"String\",\"Value\":\"AdditionalImage\"}\n }\n}"

I want to retrieve [gtin: 9009656409602] in a separate table.
Hi,
I am working on a use case which has the following requirements:
1. high number of connections to external DNS IPs from non-authorized internal DNS servers (i.e. end users or even servers)
2. connections have higher upload versus download bytes

I am developing the query as:

index=*_fw_* (src=internal_ips) NOT (dest=external_ips) AND (dest_port=53) bytes_out>0
| eventstats sum(bytes_out) AS total_bytes_out by src
| eventstats sum(bytes_in) AS total_bytes_in by src
| where total_bytes_out > total_bytes_in
| stats count by src _time dest dest_port total_bytes_out total_bytes_in sourcetype host app dstcountry ftnt_action index osname packets_out packets_in policyname product service srcmac src_translated_ip srcname subtype eventtype transport user vd vendor vendor_action _raw
| sort - total_bytes_out
| uniq

But I'm getting the same source and destination IPs repeated, or duplicate entries. I want to view by grouping source IPs such that only unique source IPs will be displayed along with all other fields.
Hi, I want to calculate a count based on a condition, like in the below query: if the event is 'sync' then the 'failed' count should be fetched from source="*gps-request-processor-test*"; if the event is 'Async' then the 'failed' count should be fetched from source="*gps-external-processor-test*" OR source="*gps-artifact-processor-test*".

index="*dockerlogs*" source="*gps-request-processor-test*" OR source="*gps-external-processor-test*" OR source="*gps-artifact-processor-test*" event="*Request" documentType="*" OR labelType="*"
| eval LabelType=coalesce(labelType, documentType)
| eval event = case (like(event,"%Sync%"),"Sync",like(event,"%Async%"),"Async")
| rex mode=sed "s/1067/Windrunner/g" field=sourceNodeCode
| rex mode=sed "s/531/SFS/g" field=sourceNodeCode
| rex mode=sed "s/EUROPE_MIDDLE_EAST_AFRICA/EMEA/g" field=geoCode
| eval Geo=geoCode,Node=sourceNodeCode
| eval syncelapsed=if(source like "%gps-request-processor%",elapsedTime,null())
| eval asyncelapsed=if(source like "%gps-external-processor%" OR source like "%gps-artifact-processor%",elapsedTime,null())
| stats count(eval(status="Received" AND source like "%gps-request-processor%" )) as received count(eval(deliveryStatus="Success")) as delivered count(eval(status="Failed")) as failed avg(syncelapsed) as syncelapsedtime avg(asyncelapsed) as asyncelapsedtime avg(deliveryElapsedTime) as deliverytime by Node Geo LabelType event
Hi Dears,
When I search only IPs without field names in Firewall indexes, the search is fast, like:

index="EX" "X.X.X.X" OR "X.X.X.X" OR "X.X.X.X" OR "X.X.X.X" OR "X.X.X.X"

But when I include the field name as below, the search takes a lot of time, especially in the Firewall index. (Though I believe it should take less time than the above search because it searches for only a specific field.)

index="EX" dest_ip="X.X.X.X" OR dest_ip="X.X.X.X" OR dest_ip="X.X.X.X" OR dest_ip="X.X.X.X" OR dest_ip="X.X.X.X"

Please provide your support.
Best Regards,
Hello Splunkers,
Workflows are monitored through Splunk. Workflows have different stages like running, paused, cancelled and completed. I have to get the latest status of the workflow. I am using the sort - _time option to get the latest data of the status. Along with the search query, by using the sort - _time option, the data count varies.

For the last 7 days:

index=... | table _time EXECUTION_NAME STATUS EXECUTION_ID Stage Environment source | dedup EXECUTION_ID | chart count(EXECUTION_ID) as Workflows_Triggered by Environment,STATUS

Environment  COMPLETED  PAUSED  RUNNING
XXX          94498      1       56

The sort -_time option is used for the last 7 days:

index=... | table _time EXECUTION_NAME STATUS EXECUTION_ID Stage Environment source | sort -_time | dedup EXECUTION_ID | chart count(EXECUTION_ID) as Workflows_Triggered by Environment,STATUS

Environment  COMPLETED  RUNNING
XXX          9735       5

The reason for using sort -_time is to get the latest status of the execution_id. COMPLETED will appear when the dedup is done.

_time                    STATUS     EXECUTION_ID
2022-11-30 12:20:00.492  RUNNING    12345678901
2022-11-30 12:20:18.000  COMPLETED  12345678911

Requesting support. Thank you!!!
Hi All,
Below is what the sample data looks like.

sourcetype_1
s1_field1: 123
s1_field2: { { ID: 2 Name: ABC }, { ID: 1 Name: XYZ } }
s1_field3: Completed

sourcetype_2
s2_field1: 123
s2_field2: { { CID: 3 Info: XXX }, { CID: 2 Info: YYY }, }
s2_field3: N

Here, first I need to match s1_field1 of source 1 to s2_field1 of source 2. If it matches, then I need to match s2_field1's CID of source 2 with s1_field2's ID of source 1. If that matches, I need to fetch all the other fields of both source 1 and source 2. Expecting data like below:

ID: 2  Name: ABC  Info: YYY

Please suggest.
Hi, I want to recover my web page password through configuration, but in this case I lost my passwd file in the ETC folder, so is there any possible way to resolve it? Can you please
Hi all. I have a running query I see on the jobs page on Splunk, but I cannot find the related alert/dashboard it's coming from. There is no name like when an alert is running, but just the search query instead. Is there a query I can use to reverse search this search query in order to find the alert/dashboard?
This query returns the URL with errors at a 5m span. I just want to filter out those errors that occur at consecutive intervals, like 9:00 and 9:05.

index = index uriPath=url*
| bin span=5m _time
| stats count as Volume, count(eval(httpCode<=299)) as "Success", count(eval(httpCode>399)) as Fail by urlPath _time
| eval FP=round(Fail*100/Volume, 2)
| where FP > 2 AND Volume > 50
Hi All,
Need help on sending data through UF.

Background
We have a single PROD Splunk instance acting as an all-in-one server, and all the configs are present on this server (ex. props, transforms, etc.). Currently we are ingesting data using Add Data from the Splunk UI. We are uploading data for a couple of sources and using props.conf for data parsing. props.conf is defined on the basis of sourcetype (ex: sourcetypeA), and this config is present in an app called appA. When we upload data using the upload data option, the data is parsed correctly; this way of ingesting has been happening for more than a year and everything is working fine.

Current Issue
Recently we installed a UF on one of the systems and configured the UF to send the data to the Splunk instance (which is a single component): UF ----> SH. As part of testing we sent file A from the UF for sourcetype sourcetypeA to the Splunk instance; the props.conf settings are not applied on the search head. Later we used the same file A, ingested it using the data upload option in the UI, mentioned the sourcetype as sourcetypeA, and parsing worked fine (which is the expected behavior), but it's not working while sending data from the UF. Checked the internal logs of both UF and SH; no errors found for this sourcetype. What is causing the issue that props are not applied? Can anyone suggest?

inputs.conf on UF

[monitor://fileA]
index = index1
_TCP_ROUTING = uf_default
crcSalt = <SOURCE>
sourcetype = sourcetypeA

props.conf on SH

[sourcetypeA]
CHARSET = MS-ANSI
FIELD_DELIMITER = ;
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = Time
TIME_FORMAT = %d.%m.%Y %H:%M
TZ = IST
category = Structured
disabled = false
pulldown_type = true
TRUNCATE = 50000
FIELD_QUOTE = "
BREAK_ONLY_BEFORE_DATE =
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
EVAL-name = <condition>
LOOKUP-name = <condition>
FIELDALIAS-name = <condition>
Hi Splunkers,
I am looking to get some help in SPL for the following use case:

| makeresults count=4
| streamstats count
| eval src=case(count=1, "2.3.5.6", count=2, "3.3.3.3", count=3, "1.1.1.6", count=4, "4.5.6.4")
| eval dest = case(count=1, "4.5.6.4", count=2, "4.5.6.4", count=3, "2.2.2.6", count=4,"2.3.5.6")

I want to get only event1 and event4. In this case event1 src = dest of event4, and event1 dest = src of event4. This is only a run-anywhere example. In reality there will be thousands of events and I want to compare event x src = dest of event y.
Thanks,
Bhupi
EPP:

{"syslog_type":"AGENT_EVENT", "syslog_data":{"log_string_args":null,"computer_name":"F0-P-N0017","login_id":"POO10","client_time":{"$date ":"2022-10-01T04:31:03.752Z"},"log_string_id":"EPPAGENT_LOGID_11002","user_name":"ppart","data_uuid":"35a5e74d-c4ad-4f25-ba9f-830c6-WINDOWS", "유형":"11000"}}

Field extraction is not working well on this; what should I do?
Hi,
My client has encountered the following issue and I was just wondering if anyone has encountered something similar?

- Encountered the following error: eventtype "xxxxxxxxx" does not exist or is disabled, when running a search using a specific index/sourcetype. They have mentioned that the affected eventtype has the proper permissions.
- The search is able to return results for a shorter timeframe (i.e. 3 months) as compared to a longer timeframe (1 year).

Thank you in advance for any information given.
Mikhael
Hi, I recently created a nicely formatted dashboard which has its tables colour coded according to search results. However, any exports I try result in none of the formatting being exported, just plain white tables without any colour or formatting, which I do require in some way for presentation. Is there a way to keep that XML in the export?
We have this script in the Splunk_TA_windows_v8 app directory named nt6-repl-stat.ps1. I'm seeing a lot of errors in our _internal index around it. When I piece the errors together, I get:

. : The term 'C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\bin\powershell\nt6-repl-stat.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:3
+ . 'C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windo ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Program File...6-repl-stat.ps1:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

What am I missing here?
I have an index which returns logs. I would like to know how much storage is used for logs in a specific time range. How could I write the query, or do this from the UI? Thanks.
Tenable.io is alerting on all my Splunk universal forwarder client hosts (Debian & Ubuntu). It is seeing port 8089 on these hosts (probably the management port??) and throwing this error:

The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :
|-Subject : C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/E=support@splunk.com

I don't need to encrypt Splunk communications from the universal forwarder to the Splunk server; I just want Tenable to see a signed cert on this port so it doesn't complain. Where is this file, and can I replace it with my fullchain.pem from Let's Encrypt that is already elsewhere on this host?
Thanks,
Matt
We have a perpetual license and are currently running an on-prem setup of version 7 (Windows) on several servers. We want to create a new Splunk environment in our private cloud. Can I download the free trial and then copy my license to that? Would it be an issue with that being 9? Can I just copy the license file from our license master in our current environment and move it over?
I have tried to create a search that uses a CSV file for inputting a listing of hosts that I want to search for a particular EventID, and if I find the ID we will create a ticket. I can list out the information (which is just a list of servers/hosts) but I can't apply it to a search.